
1 SAK 4801 INTRODUCTION TO COMPUTER FORENSICS
Chapter 6 Acquiring Data, Duplicating Data and Recovering Deleted Files
Mohd Taufik Abdullah, Department of Computer Science, Faculty of Computer Science and Information Technology, University Putra of Malaysia, Room No: 2.28
Portions of the material courtesy of Nelson et al. and EC-Council

2 Learning Objectives
At the end of this chapter, you will be able to:
- Determine the best data acquisition methods
- Understand data recovery contingencies
- Use data preservation commands
- Recover deleted files and deleted partitions
- Explain the need for data duplication
- Use data duplication tools

3 Chapter 6 Outline
6. Acquiring Data, Duplicating Data, and Recovering Deleted Files
6.1. Introduction
6.2. Recovering Deleted Files and Deleted Partitions
6.3. Data Acquisition and Duplication

4 6.1 Introduction

5 6.1 Introduction Before data can be analyzed, it needs to be acquired.
This means that the data needs to be duplicated so that the person performing the analysis can work from it without modifying the data. This means using any number of tools to duplicate the data so that an exact sector-by-sector mirror image of the disk is generated. This enables the forensic analyst to view any data that is hidden, fragmented, or deleted. Whether data is being duplicated as part of a computer forensic investigation or to acquire a backup of the data for other purposes, it is important that the original data is not modified or corrupted during the duplication process.

6 6.1 Introduction (Cont.)
Deleted data can be an issue in any situation dealing with computers. A file may be deleted on purpose or by accident, as a normal process of an application, or as the result of a virus, intrusion, or malicious software. In some cases, an entire partition may be lost, causing everything on a volume to appear unrecoverable.

7 6.2 Recovering Deleted Files and Deleted Partitions

8 Recovery of deleted files is the process by which the investigator evaluates and extracts deleted files from media and returns them in an intact format.
What happens when a file is deleted?
- FAT: the first letter of the file name is replaced by the hex byte code E5h, and the corresponding clusters in the FAT are marked unused.
- NTFS: the index field in the MFT is marked with a special code.
- The data in the file system is not erased.
When files are deleted from Windows Explorer, the deleted file is sent to the Recycle Bin. After the Recycle Bin is emptied, the data still remains in its original location on the hard drive for a period of time. The data disappears only when the operating system overwrites the original location where the file was stored. The Windows “index” application locates data that has been destroyed.
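The FAT behaviour on this slide (first name byte overwritten with E5h, FAT chain marked free, data blocks untouched) is exactly what an undelete tool relies on. The following is an added example written for this page, not code from the lecture or the cited textbooks: it builds constructed 32-byte FAT short-name directory entries, "deletes" one the way the file system does, and then parses the directory back the way a recovery tool would, reporting the deleted entry with its lost first character, its starting cluster and its size. The helper `clusters_to_carve` shows the assumption such tools must make: because the FAT chain is gone, the file is assumed to be contiguous from its first cluster. All field layouts follow the standard FAT directory entry; the sample file names and sizes are constructed.

```python
import struct

DELETED_MARKER = 0xE5   # written over the first name byte when a FAT entry is deleted
FREE_MARKER = 0x00      # first name byte of a never-used entry (end of directory)
ENTRY_FMT = "<8s3sBBBHHHHHHHI"  # name, ext, attr, ntres, crt_tenth, crt_time, crt_date,
                                # lst_acc_date, fst_clus_hi, wrt_time, wrt_date, fst_clus_lo, size

def build_entry(name, ext, first_cluster, size, attr=0x20):
    """Construct a 32-byte FAT short-name directory entry (sample data, not from a real disk)."""
    name_field = name.upper().ljust(8)[:8].encode("ascii")
    ext_field = ext.upper().ljust(3)[:3].encode("ascii")
    return struct.pack(ENTRY_FMT, name_field, ext_field, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)

def delete_entry(entry):
    """What the file system does on delete: only the first name byte changes."""
    return bytes([DELETED_MARKER]) + entry[1:]

def parse_directory(data):
    """Walk a directory region and list live and deleted entries, as an undelete tool would."""
    entries = []
    for off in range(0, len(data), 32):
        raw = data[off:off + 32]
        if raw[0] == FREE_MARKER:
            break  # nothing beyond this point was ever allocated
        (name, ext, attr, _ntres, _tenth, _ctime, _cdate, _adate,
         clus_hi, _wtime, _wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
        deleted = raw[0] == DELETED_MARKER
        base = name.decode("ascii", "replace")
        if deleted:
            base = "?" + base[1:]  # the original first character is unrecoverable from the entry
        base = base.rstrip()
        extension = ext.decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{base}.{extension}" if extension else base,
            "deleted": deleted,
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
            "attr": attr,
        })
    return entries

def clusters_to_carve(entry, bytes_per_cluster):
    """Clusters a recovery tool would read back for a deleted entry. The FAT chain was
    marked free on deletion, so the tool assumes the file was stored contiguously."""
    count = -(-entry["size"] // bytes_per_cluster)  # ceiling division
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))

def demo_directory():
    """Constructed directory: one live file, one deleted file, then the end-of-directory marker."""
    region = (build_entry("REPORT", "DOC", 5, 4096)
              + delete_entry(build_entry("NOTES", "TXT", 9, 120))
              + bytes(32))
    return parse_directory(region)

if __name__ == "__main__":
    for e in demo_directory():
        state = "DELETED" if e["deleted"] else "live"
        print(f"{e['name']:<12} {state:<8} cluster {e['first_cluster']} size {e['size']} "
              f"carve {clusters_to_carve(e, 512)}")
```

Note that the `?` stands in for the overwritten first character; real tools let the examiner supply it, which is why this slide's later tools can "recover deleted files by their names" only approximately on FAT.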

9 6.2.1 Deleting Files
Every OS provides a way of removing data from a hard disk, to prevent it from filling up quickly with all the temporary files, backup files, and other data written to the disk by the OS or other software installed on a computer. A deleted file is any file that has been logically erased from the file system but may still remain physically on the storage media.
Command-line delete: the FAT file system uses a file allocation table to keep track of files, whereas NTFS uses an MFT. When this command is used, the pointer to the deleted file is removed from the table, but the data remains on the hard disk. This gives you the opportunity to acquire the data using file recovery or forensic tools.

10 6.2.1.1 Command Line Delete
Deletes a file from the command prompt
Two commands: DEL (Delete) and ERASE

11 6.2.1.1 Command Line Delete (Cont.)
DEL/ERASE switches:
/p - prompts you for confirmation before deleting each file
/f - forces the deletion of read-only files
/s - deletes the specified files from the current directory and any subdirectories
/q - quiet mode: does not prompt for confirmation before deleting files
/a: - deletes files based on the following attributes:
  r read-only
  a archive
  s system
  h hidden
  - prefix used with any of the above attributes, indicating “not”
/? - displays help

12 6.2.1.2 Moving Files
Another method of deleting a file. If a file is moved from one directory to another on the same partition, the table used to keep track of where files are stored is updated. The file still resides on the same partition; only the pointer to the file’s location is updated. The record showing the file’s location is modified to reflect that it is now in another directory, but nothing else about the file changes. Any attributes on the file (such as whether the file is compressed) remain the same.

13 Moving Files (Cont.)
When a file is moved from one hard disk or partition to another, it is actually a multistep process of copying and deleting the file. First, a new copy of the file is created on the target partition. After the file has been copied, the original file is deleted. This process also requires some housekeeping in the FAT or MFT tables: a new entry is created in the table on the partition to which the file has been copied, whereas the record for the deleted file is removed from the table on its own partition.

14 Moving Files (Cont.)
Moving a file from one partition to another can offer greater possibilities for recovering a file that has been deleted. If a file is moved to another partition and then deleted later, the file has essentially been deleted twice. As such, you may be able to recover it from the partition on which it was deleted, and you may also be able to recover it from the partition from which it was moved.

15 6.2.1.3 Disk Cleanup
Another way in which files are deleted. Disk Cleanup is a Windows utility that deletes old setup, temporary, and backup files once they are no longer needed. However, sometimes files are not properly removed, and a considerable number of files may continue to reside on the hard disk.
To run it: click the Windows Start menu, then All Programs, Accessories, System Tools, Disk Cleanup.

16 6.2.1.4 Permanently Destroying Data
Disk erasing software wipes the disk clean by erasing all the files and overwriting the disk space with a series of ones and zeros. In doing so, every sector of the disk is overwritten, making the data unrecoverable. Anyone attempting to recover data from the disk would retrieve nothing, because the data has been completely destroyed.
A degausser or bulk demagnetizer is hardware that can be used to destroy data stored on magnetic media such as floppy disks and backup tapes. It is a powerful magnet that erases all data from magnetic media so that no one can retrieve information from it. Hard disks can also have their data erased with a degausser, which performs a low-level format that erases all data from the disk.

17 6.2.2 Recycle Bin/Trash
The Recycle Bin is a repository where files are temporarily stored after they are deleted. It gives users a second chance to restore a file before permanently deleting it, and allows items to be dragged and dropped onto the Recycle Bin icon on the desktop. When a file is deleted it is sent to the Recycle Bin, where it remains until the Recycle Bin is emptied. The Restore All button of the Recycle Bin restores the data to its original location. Files deleted from removable media such as floppy disks are not stored in the Recycle Bin.

18 6.2.2 Recycle Bin/Trash (Cont.)
Storage location of the Recycle Bin. The name of this folder depends on the file system and operating system being used:
On FAT file systems, the folder is named Recycled. For example, on your C: drive the storage location of the Recycle Bin would be C:\RECYCLED.
On NTFS file systems used by Windows NT, 2000, and XP, this folder is named Recycler. For example, on your C: drive the storage location would be C:\RECYCLER.
On NTFS file systems used by Windows Vista, this folder is named $Recycle.Bin. For example, on your C: drive the storage location would be C:\$Recycle.Bin.

19 6.2.2 Recycle Bin/Trash (Cont.)

20 6.2.2 Recycle Bin/Trash (Cont.)
To view these directories, you need to configure the View settings in Windows Explorer: click the Tools menu, then Folder Options. When the Folder Options dialog box appears, click the View tab and uncheck the Hide protected operating system files (Recommended) checkbox.
If the Recycle Bin directory still does not appear, type:
attrib -s -h recycled (for FAT)
attrib -s -h recycler (for NTFS)
Deleting or emptying files from the Recycle Bin permanently deletes them from the system; they can be recovered only with data recovery or forensic software.

21 6.2.3 Data Recovery in Linux
Linux or UNIX files can also be deleted from a hard disk in the same way as in Windows and Macintosh OS. To delete a file in Linux or UNIX, you would use the rm command. This command won’t prompt you for any confirmation by default. Once a file is deleted, you will have to rely on data recovery software to restore it.
rm switches

22 6.2.3 Data Recovery in Linux (Cont.)
The second extended file system (ext2) is commonly used on most Linux systems. The design of the ext2 file system is such that data can be hidden in several places. One way: run a process that keeps the file open and then remove the file. The file contents are still on disk, and the space will not be reclaimed by other programs while the file remains open. It is worthwhile to note that if an executable erases itself, its contents can be retrieved from the /proc memory image: the command "cp /proc/$PID/exe /tmp/file" creates a copy of the executable in /tmp.
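The "open but unlinked" case above is worth seeing end to end, because it is the one situation where a deleted file can be recovered without any carving at all. This is an added example written for this page, not code from the lecture: it writes a constructed payload to a temporary file, keeps a descriptor open, removes the name with `os.unlink`, confirms the name is gone, and then reads the full contents back through the still-open descriptor. On Linux it additionally copies the file through `/proc/<pid>/fd/<n>` (the same mechanism as the slide's `cp /proc/$PID/exe` command, applied to an ordinary open file); on systems without `/proc` that step is skipped and reported as `None`. The file name and payload are constructed; the technique requires POSIX unlink semantics, so it is not expected to work on Windows, where an open file cannot be deleted.

```python
import os
import shutil
import tempfile

def recover_open_but_unlinked(payload: bytes) -> dict:
    """Create a file, keep it open, unlink its name, then recover the contents
    through the open descriptor and (on Linux) through /proc/<pid>/fd/<n>."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "evidence.bin")   # constructed sample file
    with open(path, "wb") as f:
        f.write(payload)

    fd = os.open(path, os.O_RDONLY)   # this reference keeps the inode and its blocks allocated
    os.unlink(path)                   # the directory entry disappears; the data does not
    name_gone = not os.path.exists(path)

    # Recovery path 1: read through the descriptor we still hold (any POSIX system).
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    recovered = b"".join(chunks)

    # Recovery path 2: copy via /proc, mirroring "cp /proc/$PID/fd/N /tmp/file" (Linux only).
    proc_link = f"/proc/{os.getpid()}/fd/{fd}"
    proc_copy_intact = None
    if os.path.islink(proc_link):
        dest = os.path.join(tmpdir, "recovered.bin")
        shutil.copyfile(proc_link, dest)  # follows the symlink to the unlinked inode
        with open(dest, "rb") as f:
            proc_copy_intact = f.read() == payload
        os.remove(dest)

    os.close(fd)   # after this the last reference is gone and the blocks may be reused
    os.rmdir(tmpdir)
    return {
        "name_gone": name_gone,
        "recovered": recovered,
        "intact": recovered == payload,
        "proc_copy_intact": proc_copy_intact,
    }

if __name__ == "__main__":
    result = recover_open_but_unlinked(b"constructed evidence payload\n" * 100)
    print("name gone:", result["name_gone"], "| recovered intact:", result["intact"],
          "| /proc copy intact:", result["proc_copy_intact"])
```

The forensic lesson is the order of operations: as long as some process holds the file open, the space will not be reused, so an examiner should look for such descriptors before the process exits, not after.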

23 6.2.3 Data Recovery in Linux (Cont.)
shred command: provides a more secure way of deleting files in Linux and UNIX. The file is overwritten and then deleted to ensure that it can’t be recovered.
shred switches

24 6.2.3 Data Recovery in Linux (Cont.)
Tools: e2undel
e2undel is an interactive console tool that recovers the data of deleted files in Linux. This tool does not manipulate internal ext2 structures and requires only read access to the file system. e2undel contains a library that allows the investigator to recover deleted files by their names.

25 6.2.3 Data Recovery in Linux (Cont.)
Tools: R-Linux
R-Linux recovers files from existing logical disks even when file records are lost. R-Linux is a file recovery utility for the Ext2FS file system used in Linux and several Unix versions. R-Linux uses its IntelligentScan technology and flexible parameter settings to make recovery faster.

26 6.2.4 Recovering Deleted Files
Data written on a hard disk generally stays there unless or until it is either overwritten by more data or physically erased by a magnet Simply deleting the data using operating system file management utilities does not get rid of the data. It only removes the pointer used by the file system to locate that data physically on the disk. The data itself (in the form of the physical changes to the disk’s magnetic surface) is still there and can be recovered using special recovery software. Formatting defines the structure of the disk. Low-level formatting (LLF), which physically defines where the tracks and sectors are on the disk, does erase data. However, modern disks are formatted at the low level at the factory; users do not perform LLF on today’s IDE and SCSI disks.

27 6.2.4 Recovering Deleted Files (Cont.)
We do only high-level formatting: a disk is formatted in FAT or formatted in NTFS. If a file has not been overwritten or damaged in some way, there is always the chance that tools can be used to restore the data.
We need to decide whether to perform data recovery or computer forensics:
Data recovery is the process of salvaging data that was lost or deleted; it seeks to restore data.
Computer forensics is the process of gathering and examining evidence to establish facts so that accurate testimony and evidence can later be presented in court or other hearings; it seeks to obtain data to be used as evidence in court.
Standard data recovery software may not guarantee that the file won’t be modified when it is recovered, or may generate temporary files that could damage other data on the disk.

28 6.2.4 Recovering Deleted Files (Cont.)
To preserve data, computer forensics software is necessary When using tools, remember that the integrity of the data you are seeking to recover is paramount, and take whatever actions necessary to keep it from being damaged or destroyed.

29 6.2.5 Deleted File Recovery Tools
Data recovery tools are designed to restore data that has been deleted or corrupted from any number of sources, including hard disks, CDs, DVDs, Blu-ray, HD-DVD, floppy disks, memory cards used in digital cameras, and other storage media. These tools scan the media, search for any damaged, corrupted, or deleted files, and display which ones are available for recovery, allowing you to choose which ones will be restored. In some cases, the tools will even repair damaged files so that the data can be accessed again.

30 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Undelete
Used in MS-DOS 5.00 to 6.22
Example: Undelete c:\mytextfile.txt
Undelete switches:
/all Automatically restores all of the specified files
/list Lists all files that are available to be restored
/DOS Limits recovery to files that meet the file specifications in the disk directory table
/DT Limits recovery to files in the Delete Tracking file
/DS Limits recovery to files in the SENTRY directory
/load Loads UNDELETE.EXE into memory using information in UNDELETE.INI
/unload Unloads UNDELETE from memory
/purge Deletes the contents of the SENTRY directory

31 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Undelete switches (Cont.):
/status Displays the type of delete protection on the computer
/S Loads the memory-resident portion of UNDELETE and enables the Delete Sentry level of protection
/T Loads the memory-resident portion of UNDELETE and enables the Delete Tracker level of protection. Optional entries may be used to specify the maximum number of entries in the PCTRACKR.DEL file.
Active UNDELETE and Active UNERASER
Designed by Data Recovery Software
Active UNDELETE: using this tool, you can recover data from basic and dynamic volumes, including RAID volumes, and large hard disks of more than 500 GB. It also supports recovery from removable storage media such as USB flash drives, ZIP drives, and memory sticks and cards.

32 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
UNERASER is another data recovery product and runs on Windows or DOS. Using this tool, you can access deleted files before Windows even starts; it supports local files, compressed files and MBR backups, and can access sectors of the disk drive with a disk viewer feature. It can run from either a bootable floppy disk or a CD.
R-Undelete, from r-Tools Technology, restores deleted files and also provides an easy-to-use wizard that takes you through the steps of recovering a file. In addition, it provides features that allow you to reconstruct damaged graphics, audio, and video files. Before recovering a file, you can preview it to determine whether you actually want to restore it or leave it deleted.

33 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Easy-Undelete is a tool that will not only restore files from hard disks using FAT12, FAT16, FAT32, and NTFS file systems but also restore files from non-Microsoft partitions such as Linux and Macintosh OS X.
WinUndelete allows you to recover files from Microsoft file systems with the original created and modified dates. It provides a search feature to scan for specific files, and it allows you to filter results by extensions and file types. It also allows you to preview certain types of data before restoring them, such as Microsoft Office documents, images, and plain text.

34 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Restoration
A free tool written by Brian Kato and available for download from software distribution sites. Fast and easy to use.

35 6.2.5 Deleted File Recovery Tools (Cont.)
Restoration

36 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Mycroft V3
Developed by Dibs USA
Runs from a bootable floppy disk
Provides a search engine that is used to scan a computer for data on disk
Can be used to determine whether there is evidence on the computer
Can determine if additional investigation and acquisition of evidence is necessary

37 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Recover My Files
Created by GetData Software Development
Easy-to-use interface
Allows you to recover data from hard disks and removable storage media such as floppy disks, Zip drives, USB drives, and camera cards

38 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: eData Unerase
A free tool developed by Octanesoft
Easy-to-use interface with a wizard that takes you through the steps of recovering your data
Allows you to specify whether you want to search for all deleted files or just specific types of files (for example, pictures, multimedia, documents, and Web pages)
It also allows you to restore any files that have been deleted from the Recycle Bin or using

39 6.2.5 Deleted File Recovery Tools (Cont.)
eData Unerase

40 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Recover4all Professional
A tool for recovering data from FAT12, FAT16, FAT32, NTFS, and RAID volumes
Allows recovery from encrypted drives that have not been encrypted with EFS, compressed drives, and Windows ME/XP protected files
Its interface is easy to use, appearing similar to Windows Explorer

41 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: File Scavenger
A tool developed by QueTek Consulting Corporation
It allows data to be recovered from hard disks formatted as FAT12, FAT16, FAT32 or NTFS, and from floppy disks, ZIP disks, memory sticks, flash cards, RAID volumes, compressed drives, and other media
It provides an interface similar to Windows Explorer
It allows you to search for specific files using search strings and wildcards

42 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: VirtualLab
Designed for use on Windows 9x or later, as well as Apple Macintosh computers running OS 9 or later
It allows you to recover files from drives using FAT12, FAT16, FAT32, NTFS, HFS, or HFS Plus partitions. It can also be used to recover data from other media, such as Apple iPods, digital camera cards, and removable storage.
It can also unformat a partition to restore data from a formatted, damaged, or lost partition
The retrieved files can be saved to another location such as a network drive or another local disk

43 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: File Recover
Developed by PC Tools Software
It supports FAT16, FAT32, and NTFS file systems and IDE/ATA/SCSI hard drives, including drives larger than 8 GB
It provides an easy-to-use interface that allows you to quickly scan for files, and also advanced features that allow you to search by all or part of the filename, specific extensions, or file size, and to scan either the logical drive or the physical hard disk

44 6.2.5 Deleted File Recovery Tools (Cont.)

45 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Search and Recover
Developed by iolo Technologies
It allows the investigator to quickly recover deleted or destroyed files, folders, songs, pictures, videos, programs, critical system components, web pages, and messages in Microsoft Outlook and Outlook Express, Netscape, and Eudora
It works with any hard drive or floppy drive and any drive format, and can even recover deleted items from digital cameras, MP3 players, USB flash drives, and other portable devices

46 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Search and Recover

47 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Zero Assumption Digital Image Recovery
Developed by Zero Assumption Recovery
It is a free data recovery tool that works with digital images. Digital photographs that have been deleted from a digital camera can be retrieved using this tool.
It supports media such as CompactFlash, MemoryStick and SmartMedia that can be accessed through an operating system
Version 1.2 supports the following formats: GIF, JPEG, TIFF, CRW (Canon RAW data), MOV (QuickTime movie), WAV (Waveform audio)

48 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Other data recovery tools:
Badcopy Pro
SUPERFileRecover
DiskInternals Uneraser and NTFS Recovery
PC Inspector File Recovery, a free tool developed by CONVAR
O&O Unerase
Filesaver
Stellar Phoenix
Restorer 2000

49 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Other data recovery tools:
R-Linux, a free data recovery tool developed by r-Tools Technology
PC ParaChute, a backup tool developed by UniTrends
Recycle Bin replacements:
Diskeeper Undelete from Diskeeper Corporation
Fundelete

50 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
CD/DVD data recovery: CDRoller; IsoBuster; CD Data Rescue, developed by Naltech Software; InDisk Recovery
Microsoft Office repair and recovery: OfficeFIX, a suite of products from Cimaware Software; Repair My Excel; Repair My Word
Compressed files: Zip Repair

51 6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools: Deleted images
eIMAGE Recovery, another tool developed by Octanesoft
Canon RAW File Recovery Software (CRW Repair)
ImageRecall Software
RecoverPlus Pro
Zero Assumption Digital Image Recovery, a free stand-alone digital image recovery tool developed by Zero Assumption Recovery
DiskInternals Flash Recovery
PC Inspector Smart Recovery, a free tool developed by CONVAR

52 6.2.6 Recovering Deleted Partitions
Partitioning a hard disk involves dividing the disk into volumes, which generally appear to the operating system as logical drives identified by different drive letters. The disk is divided into logical drives for the purposes of performance and organization of the data. Each logical drive can be formatted separately so that each one uses a different file system.
Partitioning utilities do not erase the data on a disk; they only delete and manipulate the partition tables. Generally, a partition utility will delete the entry for that partition in the partition table so that any space associated with the partition becomes unallocated. Even if the tool overwrites the first sector (sector 0) of the partition before removing it, a backup

53 6.2.6 Recovering Deleted Partitions (Cont.)
Deleting a partition using Windows: partitions can be created and deleted in Windows using the Computer Management (Local) console. To open the console:
1. Right-click My Computer, click Manage, expand Storage, click Disk Management

54 6.2.6 Recovering Deleted Partitions (Cont.)
Or:
2. Click Start, click Control Panel, click Administrative Tools, double-click Computer Management, expand Storage, click Disk Management
3. Right-click the partition, logical drive, or volume and click Delete Partition

55 6.2.6 Recovering Deleted Partitions (Cont.)
Disk Management in the Computer Management Console

56 6.2.6 Recovering Deleted Partitions (Cont.)
Deleting a partition from the command line: commands are typed at a prompt. Two commands: FDISK and DISKPART

57 6.2.6 Recovering Deleted Partitions (Cont.)
FDISK is used to create and delete partitions on computers running MS-DOS, Windows 9x, Windows NT, or Windows ME.
Switches:
/MBR Rewrites the MBR
/CMBR <disk> Re-creates the MBR on a specific disk
/PRI:<size> Creates a primary partition
/EXT:<size> Creates an extended partition
/LOG:<size> Creates a logical drive
/Q Prevents rebooting the computer automatically after exiting FDISK
/STATUS Shows the current status of hard drives
/ACTOK Forces FDISK not to check disk integrity
/FPRMT Disables the prompt for FAT32 support

58 6.2.6 Recovering Deleted Partitions (Cont.)
FDISK: to create a partition, a screen appears with a number of options

59 6.2.6 Recovering Deleted Partitions (Cont.)
FDISK: to delete a partition, a screen appears with a number of options

60 6.2.6 Recovering Deleted Partitions (Cont.)
DISKPART is used to create and delete partitions on computers running Windows 2000, Windows XP, or Windows Vista. Unlike FDISK, it doesn’t provide a series of menus that can be navigated to delete partitions.
Commands:
ADD Adds a mirror to a simple volume
ACTIVE Marks the current partition as the active boot partition
ASSIGN Assigns a drive letter or mount point to the selected volume
BREAK Breaks a mirror set
CLEAN Clears the configuration information, or all information, off the disk
CONVERT Converts the disk from one format to another: dynamic to basic, basic to dynamic, MBR to GPT, or GPT to MBR

61 6.2.6 Recovering Deleted Partitions (Cont.)
Commands:
CREATE Creates a volume or partition
DELETE Deletes a missing disk, the selected volume, or the selected partition
DETAIL Provides details about a disk, partition, or volume
EXIT Exits the program
EXTEND Extends a volume
HELP Prints a listing of Help commands
IMPORT Imports a disk group
LIST Prints a list of disks, partitions, or volumes
INACTIVE Marks the current partition as an inactive partition
ONLINE Brings online a disk that is currently marked as offline

62 6.2.6 Recovering Deleted Partitions (Cont.)
Commands:
REM Used to comment scripts
REMOVE Removes a drive letter or mount point
REPAIR Repairs a RAID-5 volume
RESCAN Forces DISKPART to rescan the computer for disks and volumes
RETAIN Places a retainer partition under a simple volume
SELECT Moves the focus to an object

63 6.2.7 Deleted Partition Recovery Tools
When a partition is deleted, its entry in the partition table is removed. Deleting the partition is similar to removing the table of contents from a book; none of the information outside the table is missing, it just requires other methods to find it.
Tools:
Partition Recovery, for DOS and Windows (commercial software)
Image
DiskInternals Partition Recovery
GetDataBack, for NTFS and FAT
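The "table of contents" analogy above, and the note on slide 52 that partitioning utilities only edit the partition table, can be made concrete with a small MBR walk-through. This is an added example written for this page, not code from the lecture or from any of the tools listed: it builds a constructed 64-sector disk image with a FAT32 and an NTFS volume, deletes one partition exactly as a partitioning utility does (zeroing its 16-byte table entry and nothing else), then does what a partition recovery tool does: scans the unallocated sectors for boot sectors with the 55AA signature and a recognisable BPB, reads the volume size from the BPB, and writes the entry back. Offsets follow the standard MBR layout (table at 446, four 16-byte entries) and the standard FAT32/NTFS BPB fields; the volume sizes, positions and file-system strings are constructed, and the recognition here is deliberately minimal compared with a real tool, which validates many more BPB fields.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"

def parse_partition_table(mbr):
    """Return the non-empty entries of an MBR partition table."""
    if mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: missing 55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype and count:
            parts.append({"index": i, "type": ptype, "lba_start": lba,
                          "sectors": count, "bootable": status == 0x80})
    return parts

def make_boot_sector(kind, total_sectors):
    """Constructed volume boot sector carrying just enough of a BPB to be recognised."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x58\x90"                          # jump instruction
    if kind == "NTFS":
        sec[3:11] = b"NTFS    "                         # OEM ID
        sec[40:48] = struct.pack("<Q", total_sectors)   # NTFS total-sectors field (0x28)
    else:
        sec[82:90] = b"FAT32   "                        # FAT32 type string (0x52)
        sec[32:36] = struct.pack("<I", total_sectors)   # FAT 32-bit total-sectors field (0x20)
    sec[510:512] = SIGNATURE
    return bytes(sec)

def identify_boot_sector(sec):
    """(filesystem, MBR type byte, sectors) if sec looks like a FAT32 or NTFS boot sector."""
    if sec[510:512] != SIGNATURE:
        return None
    if sec[3:11] == b"NTFS    ":
        return "NTFS", 0x07, struct.unpack("<Q", sec[40:48])[0]
    if sec[82:90] == b"FAT32   ":
        return "FAT32", 0x0C, struct.unpack("<I", sec[32:36])[0]
    return None

def build_disk():
    """Constructed 64-sector image: FAT32 at LBA 8 (16 sectors), NTFS at LBA 32 (24 sectors)."""
    disk = bytearray(SECTOR * 64)
    disk[446:462] = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 8, 16)
    disk[462:478] = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 32, 24)
    disk[510:512] = SIGNATURE
    disk[8 * SECTOR:9 * SECTOR] = make_boot_sector("FAT32", 16)
    disk[32 * SECTOR:33 * SECTOR] = make_boot_sector("NTFS", 24)
    return disk

def delete_partition(disk, index):
    """What a partitioning utility does: zero the table entry, touch none of the volume's sectors."""
    off = TABLE_OFFSET + 16 * index
    disk[off:off + 16] = bytes(16)

def find_orphaned_volumes(disk):
    """Scan for boot sectors that no current table entry accounts for (a lost partition)."""
    claimed = set()
    for p in parse_partition_table(disk[:SECTOR]):
        claimed.update(range(p["lba_start"], p["lba_start"] + p["sectors"]))
    found = []
    for lba in range(1, len(disk) // SECTOR):
        if lba in claimed:
            continue
        hit = identify_boot_sector(disk[lba * SECTOR:(lba + 1) * SECTOR])
        if hit:
            fs, ptype, sectors = hit
            found.append({"lba": lba, "filesystem": fs, "type": ptype, "sectors": sectors})
    return found

def restore_partition(disk, index, volume):
    """Write a recovered volume back into table slot `index`."""
    off = TABLE_OFFSET + 16 * index
    disk[off:off + 16] = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", volume["type"],
                                     b"\0\0\0", volume["lba"], volume["sectors"])

if __name__ == "__main__":
    disk = build_disk()
    delete_partition(disk, 1)
    print("table after delete:", parse_partition_table(disk[:SECTOR]))
    lost = find_orphaned_volumes(disk)
    print("orphaned volumes:", lost)
    restore_partition(disk, 1, lost[0])
    print("table after restore:", parse_partition_table(disk[:SECTOR]))
```

In a forensic setting the restore step would be done on the working copy of the image, never on the original evidence drive; the scan alone is enough to show the examiner where the lost volume's data still sits.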

64 6.2.7 Deleted Partition Recovery Tools (Cont.)
NTFS Deleted Partition Recovery
Handy Recovery
Acronis Recovery Expert
TestDisk (supports Windows and Linux)
Scaven
Recover It All!
Partition Table Doctor

65 6.3 Data Acquisition and Duplicating Data

66 Electronic evidence is fragile by nature and can easily be modified, damaged, or destroyed.
Even booting a computer can erase temporary files, modify timestamps, or alter other data in addition to writing data and creating new files to the drive using the boot process. In addition, a computer could be booby trapped so that if a set of keys weren’t pressed at bootup or an incorrect password was entered, a program or script could run to reformat the hard disk or overwrite certain data making retrieval of evidence more difficult or impossible. It is because of this that data must be acquired or duplicated from a hard disk before any analysis takes place.

67 Data Recovery Contingencies
Investigators must make contingency plans for when data acquisition fails.
To preserve digital evidence, investigators need to create a duplicate copy of the evidence files.
In case the original data recovered is corrupted, investigators can make use of the second copy.
Use of at least two data acquisition tools is preferred to create copies of evidence, in case the investigator’s preferred tool does not properly recover data.

68 6.3.1 Data Acquisition Tools
Data acquisition is the act or process of gathering information and evidence. In computer forensics, this means using established methods to acquire data from a suspect computer or storage media to gain insight into a crime or other incident and potentially use it as evidence to convict a suspect. The goal of data acquisition is to preserve evidence, so any tools that are used should not alter the data in any way and should provide an exact duplicate. To prevent contamination, any data that is duplicated should be stored on forensically sterile media, meaning that the disk has no other data on it and has no viruses or defects.
Forensic investigators acquire digital evidence using the following methods:
Creating a bit-stream disk-to-image file
Making a bit-stream disk-to-disk copy
Creating a sparse data copy of a folder or file

69 6.3.1 Data Acquisition Tools (Cont.)
To ensure that all data is acquired, a bit-stream image needs to be made of the suspect hard drive or other media. This will acquire any Deleted files, file fragments, slack space, and other data on the disk. If a standard image is created that does not acquire this data, then potential evidence may be unavailable to you. Standard images or clones of a machine can, however, be useful for backing up data or creating a duplicate of the operating system, applications, and data on the machine in case a disaster occurs.

70 6.3.1.1 MS-DOS Data Acquisition Tools
In the past, software tools developed for forensic investigation were created for MS-DOS. Investigators still make use of these tools as they are commercially available and easy to use.
Advantages of MS-DOS acquisition tools:
Fit on a forensic boot disk
Require fewer resources to make bit-stream files
User friendly
Windows data acquisition tools allow the investigator to easily acquire evidence from a disk with the help of removable media such as USB storage devices. These tools can also use FireWire to connect hard disks to the forensic lab systems. Data acquisition tools in Windows cannot acquire data from the host protected area of the disk.

71 DriveSpy
DriveSpy enables the investigator to direct data from one particular sector range to another sector. DriveSpy provides two methods of specifying disk sector ranges:
Listing the absolute starting sector followed, after a comma, by the total number of sectors to be read on the drive
Listing the absolute starting and ending sectors
There are two commands in DriveSpy that are used for data manipulation:
The “SaveSect” command is used to copy particular sectors on a disk to a file. It copies the sectors as a bit-stream image so that the file is a duplicate of the original sectors.
The “WriteSect” command is used to regenerate the information acquired through the SaveSect command.

72 DriveSpy (Cont.)
The data preservation commands in the DriveSpy application are:
The “SavePart” command, used to create an image file of the specified disk partition of the suspect's drive
The “WritePart” command, the counterpart of “SavePart”, used to recreate the saved partition from the image file created with the “SavePart” command

73 6.3.1.2 AccessData FTK Explorer
FTK Explorer acquires data that can help the investigator understand how other forensic tools in Windows work This tool was first designed to examine disks and bit-stream disk-to-image files created by using other forensic software FTK Explorer can make bit-stream disk-to-image copies of evidence disks This tool allows the investigator to acquire the evidence disk from a logical partition level or a physical drive level

74 6.3.1.2 AccessData FTK Explorer

75 EnCase
The EnCase tool delivers advanced features for computer forensics and investigations. It is the primary data acquisition tool used by forensic investigators, and provides tools to conduct investigations with accuracy and efficiency.
Data can be acquired by:
Disk to disk
Disk to network server drive
Parallel port with a LapLink cable to the forensic workstation’s disk drive

76 Encase (Cont.)

77 6.3.2 Acquiring Data on Linux
Forensic investigators use the built-in Linux command "dd" to copy data from a disk drive
This command can make a bit-stream disk-to-disk copy, a disk-to-image file, or a block-to-block / block-to-file copy
The "dd" command can copy data from any disk that Linux can mount and access
Other forensic tools such as AccessData FTK and ILook can read dd image files
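The sector-range save and restore that DriveSpy's SaveSect and WriteSect commands perform (slides 71 and 72) and the dd imaging described on this slide can both be shown with dd's skip=, count= and seek= operands, with a hash of source and image as the integrity check. The following is an added example, not code from the slides or from DriveSpy, dd.exe or any other tool named here: it builds a constructed 8-sector disk file in place of a real device such as /dev/sdb, and every file and function name in it is an assumption.

```shell
#!/bin/sh
# Added example: bit-stream imaging with dd and a DriveSpy-style sector-range
# save/restore. A constructed 8-sector "disk" file stands in for a real device.
set -eu

SECTOR=512

# make_disk DISK: constructed 8-sector disk; sector N is filled entirely with
# the letter A+N (A, B, C, ...) so it is obvious where each sector came from.
make_disk() {
    : > "$1"
    for letter in A B C D E F G H; do
        printf "%${SECTOR}s" '' | tr ' ' "$letter" >> "$1"
    done
}

# image_disk SRC IMG: bit-stream disk-to-image copy. conv=noerror,sync keeps
# reading past a bad block and pads it with zeros, so sector offsets in the
# image still line up with the source instead of shifting after an error.
image_disk() {
    dd if="$1" of="$2" bs="$SECTOR" conv=noerror,sync 2>/dev/null
}

# md5_of FILE: hex digest only (what dd.exe's --md5out file records).
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SRC IMG: print "match" when both digests agree, else "MISMATCH".
verify_image() {
    if [ "$(md5_of "$1")" = "$(md5_of "$2")" ]; then echo match; else echo MISMATCH; fi
}

# save_sectors DISK START COUNT OUT: SaveSect analog in the "start,count" form;
# the output file is a bit-for-bit copy of exactly those sectors.
save_sectors() {
    dd if="$1" of="$4" bs="$SECTOR" skip="$2" count="$3" 2>/dev/null
}

# write_sectors FILE DISK START: WriteSect analog, putting saved sectors back
# at sector START. conv=notrunc matters: without it dd truncates the target
# right after the written range and everything behind it is lost.
write_sectors() {
    dd if="$1" of="$2" bs="$SECTOR" seek="$3" conv=notrunc 2>/dev/null
}

# sector_letter FILE N: first byte of sector N, to see which sector landed where.
sector_letter() {
    dd if="$1" bs="$SECTOR" skip="$2" count=1 2>/dev/null | head -c1
}

demo() {
    work="$(mktemp -d)"
    make_disk "$work/suspect.dsk"
    image_disk "$work/suspect.dsk" "$work/suspect.img"
    echo "image integrity: $(verify_image "$work/suspect.dsk" "$work/suspect.img")"
    # SaveSect-style: sectors 2-3 (C, D) from the image into a file, then
    # WriteSect-style into a working copy at sector 5, overwriting F and G only.
    save_sectors "$work/suspect.img" 2 2 "$work/sect2-3.bin"
    cp "$work/suspect.dsk" "$work/working.dsk"
    write_sectors "$work/sect2-3.bin" "$work/working.dsk" 5
    echo "sector 5 of working copy now holds: $(sector_letter "$work/working.dsk" 5)"
    rm -rf "$work"
}

demo
```

Work against the image, never the suspect disk itself: the write-back step is run on a copy here for the same reason an examiner restores saved sectors onto a working drive and keeps the verified image untouched as the reference.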

78 6.3.2.1 Dd.exe (Windows XP Version)
Works on the Windows platform
Detects unauthorized dialers
User-friendly program
Command syntax:
  dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5

79 6.3.2.2 Snapback Exact
Server-based backup program for Windows servers
Copies byte-by-byte images of the server hard drives to tape
Keeps track of records
Important features are:
  Full open file management
  Remote administration
  Backup scheduling

80 Snapback Exact (Cont.)

81 DatArrest
Supports tools for forensic data seizure
Works on all IBM-compatible systems
Recovers deleted data
Provides a user interface tool
Any removable drive can be backed up through DatArrest

82 SafeBack
SafeBack is also an MS-DOS data acquisition tool; it performs a CRC-32 calculation for each sector copied to ensure data integrity
SafeBack creates a log file of all transactions it performs
Functions:
  Creates disk-to-image files
  Copies data from a source disk to an image on a tape drive
  Copies data from a partition to an image file
  Compresses acquired files to reduce save-set sizes
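A per-sector checksum log of the kind SafeBack keeps is what lets an examiner say not just that a copy differs, but which sector differs. The functions below are an added example, not SafeBack's code: they record one CRC line per sector while the disk is read, using the POSIX cksum utility (a CRC-32 variant) over dd's single-sector reads, and then re-check a copy against that log. The 8-sector disk file is constructed for the example, and the file and function names are assumptions.

```shell
#!/bin/sh
# Added example: per-sector CRC log and verification, SafeBack-style.
# A constructed 8-sector disk file stands in for a suspect drive.
set -eu

SECTOR=512

# make_disk DISK: constructed 8-sector disk, sector N filled with letter A+N.
make_disk() {
    : > "$1"
    for letter in A B C D E F G H; do
        printf "%${SECTOR}s" '' | tr ' ' "$letter" >> "$1"
    done
}

# sector_count FILE: number of whole sectors in FILE.
sector_count() {
    echo $(( $(wc -c < "$1" | tr -d ' ') / SECTOR ))
}

# crc_of_sector FILE N: CRC of sector N exactly as cksum prints it (decimal).
crc_of_sector() {
    dd if="$1" bs="$SECTOR" skip="$2" count=1 2>/dev/null | cksum | cut -d' ' -f1
}

# crc_log FILE LOG: write one "sector crc" line per sector, the record an
# imaging tool keeps while it copies so the copy can be audited later.
crc_log() {
    n=$(sector_count "$1")
    : > "$2"
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "$i $(crc_of_sector "$1" "$i")" >> "$2"
        i=$((i + 1))
    done
}

# verify_log FILE LOG: recompute every sector's CRC and print the numbers of
# the sectors that no longer match the log; prints nothing when all agree.
verify_log() {
    while read -r sector crc; do
        if [ "$(crc_of_sector "$1" "$sector")" != "$crc" ]; then
            echo "$sector"
        fi
    done < "$2"
}

# corrupt_sector FILE N: overwrite sector N with 'X' bytes, simulating a bad
# block in a copy or a tampered sector, so verification has something to find.
corrupt_sector() {
    printf "%${SECTOR}s" '' | tr ' ' X | dd of="$1" bs="$SECTOR" seek="$2" conv=notrunc 2>/dev/null
}

demo() {
    work="$(mktemp -d)"
    make_disk "$work/src.dsk"
    crc_log "$work/src.dsk" "$work/src.log"
    cp "$work/src.dsk" "$work/copy.dsk"
    echo "clean copy, bad sectors: [$(verify_log "$work/copy.dsk" "$work/src.log")]"
    corrupt_sector "$work/copy.dsk" 3
    echo "after damaging sector 3, bad sectors: [$(verify_log "$work/copy.dsk" "$work/src.log")]"
    rm -rf "$work"
}

demo
```

A whole-image MD5 (as in the dd.exe example) answers only "same or not"; the per-sector log localizes the difference, which is what makes a log file of the kind SafeBack writes useful when a tape or image later fails verification.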

83 6.3.2 Hardware Tools
Not all methods of acquiring data involve software-based solutions.
Hardware used in data acquisition may only provide write blocking (to prevent data being written to a suspect drive), or may be a full system used to acquire and analyze data in the field or in a forensic lab.

84 6.3.2.1 ImageMASSter Solo-3 Forensic
A hardware tool developed by Intelligent Computer Solutions, designed for computer forensic purposes.
It is a portable, hand-held device that can acquire data from suspect machines at speeds exceeding 4 GB per minute.
It can acquire data from IDE, SATA, and SCSI hard drives.
Connecting the hard disks directly to the device through a drive-to-drive interface or an external FireWire/USB interface, it can create an exact replica of the data from one or two drives simultaneously without any reduction in speed.

85 6.3.2.2 ImageMASSter Solo-2 Forensic
Also a hardware tool developed by Intelligent Computer Solutions, designed for computer forensic purposes.
Can create an image of any data on the machine by attaching it to a suspect computer through a FireWire or USB port.
Uses software to boot the machine.
Data on the original machine is protected during acquisition by the write-blocking features of the device.

86 ImageMASSter 60007SAS
A powerful hardware tool developed by Intelligent Computer Solutions, designed for computer forensic purposes.
Used for creating images of data from suspect machines; it is a useful part of any forensic lab.
Can be used to:
  Duplicate IDE, SAS, and SATA hard drives, and migrate server data from SCSI to SAS/SATA
  Acquire data from multiple hard disks
  Store multiple images on one hard drive
The only duplication system on the market that supports SAS (Serial Attached SCSI) hard drives
Can copy multiple drives simultaneously at high speeds
It also includes a 1 GB network connection that can be used to transfer files to and from a network drive
To acquire and analyze data, the system provides a Windows XP-based interface that allows you to copy data from Windows, Macintosh, and UNIX file systems

87 RoadMASSter-3
A data acquisition and analysis tool designed for use inside of a forensic lab.
Also designed by Intelligent Computer Solutions.
Designed to create an image of, and analyze, data acquired from suspect hard drives.
It can connect to an unopened computer using FireWire and USB ports, and directly to IDE, SATA, SAS, and SCSI hard drives.
It can also acquire data from multiple drives to a single target drive, making acquisition faster.
Allows you to analyze data immediately.
It has a 15-inch color display in its case that allows you to view the data stored in the image file, so that you can determine whether any evidence exists on the machine while you're still in the field.

88 Disk Jockey IT
A portable, hand-held hardware tool developed by Diskology.
It is the smallest write-blocking and disk copy device available for computer forensics.
It can be used as a write-blocking device for data acquired over FireWire and USB connections to a suspect computer.
The device can then be connected to a Macintosh or Windows computer in write-protect mode to analyze the data without fear of altering it.

89 6.3.3 Backing Up and Duplicating Data
Investigators need to worry about destructive devices that can be planted in the system by its owner.
Evidence can be destroyed if the investigator is not careful.
Data fragments can be overwritten, and data stored in the Windows swap file can be altered or destroyed.
Data duplication is essential for the proper preservation of digital evidence.

90 R-drive Image
R-Drive Image is a tool that creates disk image files for backup or duplication purposes
A disk image file contains an exact, byte-by-byte copy of a hard drive, partition, or logical disk
R-Drive Image can create image files with various compression levels without stopping the Windows OS
These drive image files can then be stored in a variety of places, including removable media such as CD-R(W) or DVD-R(W) discs and Iomega Zip or Jaz disks

91 R-drive Image (Cont.)

92 6.3.2.2 DriveLook
The DriveLook tool has the following features:
  Indexes the hard drive for the text that was written to it
  Searches through a list of all words stored on the drive
  Views the location of words in the disk editor
  Switches between different views
  Uses an image file as input
  Accesses remote drives through a serial cable or TCP/IP

93 DriveLook (Cont.)

94 DiskExplorer
DiskExplorer aids examiners in investigating any drive and recovering data
Two versions of DiskExplorer exist:
  DiskExplorer for FAT
  DiskExplorer for NTFS
The tool also lets you navigate through the drive by jumping to:
  Partition table
  Boot record
  Master file table
  Root directory

95 DiskExplorer (Cont.)

96 Summary
Investigators can acquire data in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file
The "SavePart" command retrieves information about the partition space in the hard disk
The "dd" command in Linux can make a bit-stream disk-to-disk copy and a disk-to-image file copy

97 Summary
From a forensic investigator's perspective:
  Copy is a process that makes a replica including only file information, not slack space or unallocated space
  Backup is a copy of files kept for future restoration
  Image is a file copy of a complete disk, used for duplication or restoration
  Bit-stream image is an exact replica of all sectors, including every 1 and 0; this includes slack space, unallocated space, and the swap file
  Lossless compression is an acceptable method for computer forensics because it does not change the data
  Lossy compression alters the data, leading to loss of data

98 End of Chapter 6

